`dnssec-signzone -N unixtime` behaves like `increment`
Summary
I recently upgraded from Debian 9.13 to 10.4. Starting from this date "dnssec-signzone -N unixtime" does not work any more causing my DNS slaves to fail receiving changes.
With Debian 9, dnssec-signzone -N unixtime (9.10.3.dfsg.P4-12.3+deb9u6) uses the current unix timestamp as the serial number for the generated signed zone; however, with the version shipped with Debian 10 the serial number is just incremented from the to-be-signed zone file. As I use a common zone template for a huge number of zones, every further signing of the template will use the very same serial number (template serial number + 1).
I use the following command to sign my zones (using a script):
/usr/sbin/dnssec-signzone -o ZONE.TLD. -e +1209600 -N unixtime zone.db K*.private
I don't get any warning or error. I checked that "-N date" uses the current date, however, "date" does not fit the needs of my scenario (see above).
Further investigation by Bernhard Schmidt (cf. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=966422#10) revealed that this seems to be caused by a new check: if the "new" serial number is lower than the old one, increment is used instead of the requested unixtime.
cross-ref: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=966422
BIND version used
9.11.5-P4-5.1+deb10u1-Debian
Steps to reproduce
- Have a zonefile with a SOA serial number such as
2020072900
- Execute
/usr/sbin/dnssec-signzone -o ZONE.TLD. -e +1209600 -N unixtime zone.db K*.private
What is the current bug behavior?
The signed zone file has the serial number 2020072901
What is the expected correct behavior?
The signed zone file should have the current unix timestamp as serial number.
Possible fixes
I understand that the new behavior might be a feature, so that the signed zone file never has a serial number less than the unsigned zone file. However, this behavior change caused lots of trouble for me. I would at least expect a warning from dnssec-signzone that the unix time was not used ...
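The following Python model is an added example and not part of this report or of BIND's source. It reproduces the serial selection described above (-N increment, -N unixtime, and the fallback to increment when the candidate would not advance the serial) together with the warning the report asks for, and it adds the check a zone operator would want in a signing script: whether a secondary that already holds the previously published serial would transfer the new one. The comparison uses RFC 1982 serial arithmetic, which is what secondaries use; the fallback rule itself is modelled from the description in this report and is an assumption about the exact check. The timestamps and serials are constructed: 1596000000 is roughly 2020-07-29 UTC, and 2020072900 is the date-style serial from the steps to reproduce, which is numerically larger than any unix timestamp until the year 2034.

```python
"""Model of serial selection in a signing script (added example, not BIND code)."""

SERIAL_MASK = 0xFFFFFFFF  # SOA serial is an unsigned 32-bit integer
HALF = 1 << 31            # RFC 1982 comparison window


def serial_gt(a: int, b: int) -> bool:
    """RFC 1982 serial arithmetic: True if a is 'greater than' b modulo 2^32."""
    a &= SERIAL_MASK
    b &= SERIAL_MASK
    return (a < b and b - a > HALF) or (a > b and a - b < HALF)


def candidate_serial(mode: str, old_serial: int, now: int) -> int:
    """Serial each -N mode would propose before any fallback check."""
    if mode == "increment":
        return (old_serial + 1) & SERIAL_MASK
    if mode == "unixtime":
        return now & SERIAL_MASK
    raise ValueError(f"unsupported -N mode in this model: {mode}")


def choose_serial(mode: str, old_serial: int, now: int) -> tuple[int, bool]:
    """Return (serial, fell_back).

    Assumed rule from the report: if the candidate does not advance the serial
    of the unsigned zone, increment is used instead of the requested mode.
    """
    cand = candidate_serial(mode, old_serial, now)
    if serial_gt(cand, old_serial):
        return cand, False
    return candidate_serial("increment", old_serial, now), True


def secondary_will_transfer(primary_serial: int, secondary_serial: int) -> bool:
    """A secondary only pulls a zone whose serial is greater than the one it holds."""
    return serial_gt(primary_serial, secondary_serial)


def simulate_signing(mode: str, template_serial: int, sign_times: list[int]):
    """Re-sign the same unsigned template at each time in sign_times.

    Returns, per run: (chosen serial, fallback used, secondary would transfer).
    The warnings are what the report asks dnssec-signzone to emit.
    """
    published = None  # serial the secondaries currently hold
    history = []
    for now in sign_times:
        serial, fell_back = choose_serial(mode, template_serial, now)
        transfers = published is None or secondary_will_transfer(serial, published)
        if fell_back:
            print(f"warning: -N {mode} candidate {candidate_serial(mode, template_serial, now)} "
                  f"does not advance serial {template_serial}; used increment -> {serial}")
        if not transfers:
            print(f"warning: serial {serial} is not greater than published serial "
                  f"{published}; secondaries will not transfer this zone")
        history.append((serial, fell_back, transfers))
        published = serial
    return history


if __name__ == "__main__":
    # Constructed inputs: the report's template serial, signed twice a day apart.
    print(simulate_signing("unixtime", 2020072900, [1596000000, 1596086400]))
    # Contrast: a template whose serial is below the current unix time.
    print(simulate_signing("unixtime", 1, [1596000000, 1596086400]))
```

With the date-style template serial, every run yields 2020072901 and the second run triggers the transfer warning, which is exactly the failure mode the report describes; with a small template serial, unixtime advances on each run and the secondaries keep transferring.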